PRIVACY NOTICE according to Article 14 (5) (b) GDPR
Article 14 of the GDPR stipulates the information to be provided where personal data have not been obtained from the data subject. Paragraph 5 (b) of this Article provides for an exemption if such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In this case, subject to the conditions and safeguards referred to in Article 89(1) GDPR, the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available.
As part of the S4AllCities H2020 research project (Grant Agreement No. 883522) research activities are carried out that involve human participants.All types of the S4AllCities research activities (questionnaires, workshops, pilot demonstrations, other testing activities) mainly and as a rule involve volunteers that are informed about their participation and about the processing of their personal data via relevant information sheets which are distributed to them together with informed consent forms prior to their participation and prior to the data processing, respectively. The data are obtained by the data subjects based on their consent.
As the only exemption to this rule, personal data of individuals are processed by the following three S4AllCities Consortium partners(1) E-TRIKALA (Trikala - Greece), (2) PILS (Pilsen - Czech Republic) and (3) METRO BILBAO (Bilbao - Spain) for scientific research purposes solely related to the S4AllCities H2020 research project.The informed consent of these data subjects cannot be obtained since the data have been initially collected through cameras pre-installed in specific areas of the cities and are further processed for the testing and evaluation of the tools developed under the S4AllCities research. Appropriate safeguards, including data minimisation and both organisational and technological measures, have been implemented in accordance with the General Data Protection Regulation to ensure that no risks are posed to the rights and freedoms of the data subjects. A specific task of the S4AllCities project (T3.5) has been set out and is dedicated exclusively on the irreversible anonymisation of these datasets.
All necessary information can be found below and on the official website of each controller in the native language of the data subjects.
You can ask any questions and exercise your rights related to data protection by using the following contactsper case:
1.Controller: ANAPTYXIAKI ETAIREIA DIMOU TRIKKAION ANAPTYXIAKI ANONYMI ETAIREIA OTA - E-TRIKALA AE (E-TRIKALA), Kalampakas 28, Trikala 42100, Greece
Official website: www.e-trikala.gr/
2.Controller: SPRAVA INFORMACNICH TECHNOLOGII MESTA PLZNE, PRISPEVKOVAORGANIZACE (PILS), Dominikanska 4, Plzen 301 00, Czech Republic
Official website: www.sitmp.cz/
- On behalf of the controller: Mr. Jiri Bouchal, firstname.lastname@example.org
- Data Protection Officer (DPO): email@example.com
3.Controller: METRO BILBAO S.A., Calle Navarra 2, Bilbao 48001, Spain
Official website: www.metrobilbao.eus
- On behalf of the controller: Mr. Eduardo Ledesma, firstname.lastname@example.org
- Data Protection Officer (DPO): email@example.com
Types of data: The data that are processed are images of individuals, voice of individuals andvehicle registration plates collected by each controller via CCTV and other types of cameras. No special categories of personal data are processed.In particular:
1. E-TRIKALA: Personal data of the Trikala citizens and other visitors of the city of Trikala is processed by the controller through cameras deployed in the city of Trikala including CCTV and other types of cameras in the area of Milos Matsopoulou and at the e-Trikala premises.
2. PILS: Personal data of the Pilsen citizens and other visitors of the city of Pilsen is processed by the controller through CCTV and other types of cameras in the football stadium “Doosan Arena” and in a radius of 0.5 km around the stadium.
3. METRO BILBAO: Personal data of the Bilbao citizens and other visitors of the city of Bilbao is processed by the controller through CCTV and other types ofcamerasin the metro (stationsand trains) of Bilbao.
Lawful basis: Each one of the controllers processes personal data of their citizens or city visitors that is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR), namely for ensuring the security and safety of the individuals that are captured by city cameras and for the prevention and detection of any criminal or illegal activity. Some of these datasets -only the minimum of data required for meeting the S4AllCities project’s objectives- is further processed for scientific research purposes. Further processing for scientific research purposes is a compatible processing operation based on Recital 50 GDPR provided that appropriate safeguards are implemented.
Purposes of processing: CCTV and other cameras are installed in the cities of Trikala, Pilsen and Bilbao for ensuring the safety and security of citizens and visitors of the cities on a daily basis (initial purpose). The minimum of data included in the relevant datasets is further processed for the S4AllCities research purposes.
Purpose 1: Anonymisation. In the context of T3.5 ‘Anonymisation mechanisms’ of the S4AllCities research project the personal data are anonymised by ATOS.
Purpose 2:Training, pilot demonstration and evaluation. The irreversibly anonymised data will then be processed for the three pilot demonstrations in the cities of Trikala (T8.3) in May 2022, Pilsen (T8.5) in June 2022 and Bilbao (T8.4) in September 2022, respectively.
Processor: ATOS is the S4AllCities partner that is responsible for the implementation of anonymisation mechanisms as part of T3.5 of the S4AllCities project. A data processing agreement has been drafted and signed by each controller and the processor in accordance with Article 28(3) GDPR.
Recipients:The anonymised data will be shared with some of the S4AllCities partners for the testing of the tools during the pilot demonstrations.
Transfer to non-EU countries: Personal data maybe transferred to the United Kingdom. In case the anonymised data are transferred to the S4AllCities partners from the UK (Bournemouth University, CDI),
an Adequacy Decision of Article 45 GDPR is in place for the UK ensuring an adequate level of protection.
Appointment of a Data Protection Officer by each controller (see contact details above). In addition, the S4AllCities project has an Ethics Manager, an Ethics Review Committee and an Independent Ethics Expert whose role is to monitor all project’s activities from an ethical and legal standpoint, to advise the Consortium and to ensure compliance with the applicable laws and the ethics standards.
· For the days of the pilot demonstrations: Physical signs informing the individuals in their native language about the processing of personal data through CCTV for scientific research purposes related to the S4AllCities project.
· Signature of a data processing agreement of Article 28(3) GDPR between each controller and the processor ATOS. Each agreement stipulates the rights and obligations of the parties and detailedbinding instructions are given by the controller to the processor.
· Carrying-out of a Data Protection Impact Assessment of Article 35 GDPR by each controller prior to the processing of personal data of the individuals monitored by the pre-installed city cameras. The outcome of each DPIA, as reviewed by the Ethics Manager of the project and each controller’s DPO, is that the measures are adequate and effective and that the processing is not likely to cause high risks to the rights and freedoms of the data subjects.
· Transmission from each controller to the processor ATOS of the minimum number of personal data that are needed (data minimisation) for the fulfilment of the S4AllCities research.
· Transmission of the data to the processor via approvedcryptographic/security tools.
· Access to the data only by authorised personnel of the processor that have a need-to-know.
· Anonymisation in real time: Processing of data by the processor in real time via video streaming without sound (voice is not processed as this channel is totally ignored while streaming) and restreaming in an anonymised form. The initial data are automatically in real time replaced by the anonymised ones.
· Use of irreversibly anonymised data for the testing and evaluation of the S4AllCities tools during the project’s three pilot demonstrations
Storage period: Since the implementation of anonymisation by the processor is via video streaming, streaming can be considered as an extremely temporary storagestrictly necessary by its nature to fulfil the purpose of data anonymisation. The irreversibly anonymised data will be stored by each controller and the processor until the end of the S4AllCities project (31 December 2022). Afterwards, they will be permanently deleted.
Data subject’s rights: The data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data (Article 15 GDPR) to the extent possible. The data subjects have also the right to lodge a complaint with a supervisory authority (Article 77 GDPR).
As the data are initially processed by each controller for the performance of a task carried out in the public interest and further processed for scientific research purposes in an irreversibly anonymised form in accordance with Article 89(1) GDPR, the following rights do not apply: the right to erasure (Article 17(3)(d) GDPR), the right to object (Article 21(6) GDPR), the right to rectification and the right to restriction. This is in compliance with the limitations stipulated by the GDPR and applicable national laws for processing operations carried out for scientific research purposes.
For relevant information and clarifications, you may send an email to the contact person on behalf of each controller and to the DPO of each controller (see above the contact details).